Hardware-Assisted MMU Redirection for In-Guest Monitoring and API Profiling
| Autor: | Meng Chang Chen, Shun-Wen Hsiao, Yeali S. Sun |
|---|---|
| Rok vydání: | 2020 |
| Předmět: |
021110 strategic
defence & security studies Software_OPERATINGSYSTEMS CPU modes Computer Networks and Communications business.industry Computer science 0211 other engineering and technologies Hypervisor Cloud computing 02 engineering and technology computer.software_genre Virtualization Shared resource Virtual machine Malware Safety Risk Reliability and Quality business Page table computer Computer hardware |
| Zdroj: | IEEE Transactions on Information Forensics and Security. 15:2402-2416 |
| ISSN: | 1556-6021 1556-6013 |
| DOI: | 10.1109/tifs.2020.2969514 |
| Popis: | With the advance of hardware, network, and virtualization technologies, cloud computing has prevailed and become the target of security threats such as the cross virtual machine (VM) side channel attack, with which malicious users exploit vulnerabilities to gain information or access to other guest virtual machines. Among the many virtualization technologies, the hypervisor manages the shared resource pool to ensure that the guest VMs can be properly served and isolated from each other. However, while managing the shared hardware resources, due to the presence of the virtualization layer and different CPU modes (root and non-root mode), when a CPU is switched to non-root mode and is occupied by a guest machine, a hypervisor cannot intervene with a guest at runtime. Thus, the execution status of a guest is like a black box to a hypervisor, and the hypervisor cannot mediate possible malicious behavior at runtime. To rectify this, we propose a hardware-assisted VMI (virtual machine introspection) based in-guest process monitoring mechanism which supports monitoring and management applications such as process profiling. The mechanism allows hooks placed within a target process (which the security expert selects to monitor and profile) of a guest virtual machine and handles hook invocations via the hypervisor. In order to facilitate the needed monitoring and/or management operations in the guest machine, the mechanism redirects access to in-guest memory space to a controlled, self-defined memory within the hypervisor by modifying the extended page table (EPT) to minimize guest and host machine switches. The advantages of the proposed mechanism include transparency, high performance, and comprehensive semantics. To demonstrate the capability of the proposed mechanism, we develop an API profiling system (APIf) to record the API invocations of the target process. The experimental results show an average performance degradation of about 2.32%, far better than existing similar systems. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|